[libvirt-users] libvirt, selinux, moving images to ~/images does not work

yue libvirt at 163.com
Mon Apr 8 07:06:01 UTC 2013


Hi,
In my case, it works.
MAC comes after DAC, so you should confirm that libvirtd has permission to access your home dir.
 

thanks




At 2013-04-08 14:53:36,"Alexey Kardashevskiy" <aik at ozlabs.ru> wrote:
>Hi!
>
>I am trying libvirt on POWERPC64 with the default settings such as selinux 
>enabled. It is all good till I move images out of /var/lib/libvirt/images/.
>
>http://libvirt.org/drvqemu.html#securityselinux is saying that "If 
>attempting to use disk images in another location, the user/administrator 
>must ensure the directory has be given this requisite label. Likewise 
>physical block devices must be labelled system_u:object_r:virt_image_t.".
>
>So did I:
>
>[root at vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images
>drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg
>drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images
>
>[root at vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images
>/home/aik/virtimg:
>-rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 
>Fedora-18-ppc64-DVD.iso
>
>/var/lib/libvirt/images:
>-rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest
>
>
>However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with
>"avc:  denied  { dac_override }" and "avc:  denied  { dac_read_search }".
>Also, there is "user system_u is not defined" in /var/log/messages, which is
>confusing as "semanage user -l" says it is there.
>
>If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the 
>problem goes away and everything works fine.
>
>
>I am running a custom-built 3.8 kernel and libvirt from git ("eebbb23 qemu:
>support URI syntax for NBD").
>
>More detailed output is below, this is all from the host system.
>
>
>What am I missing? Thank you.
>
>
>[root at vpl2 ~]# tail /var/log/messages
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: 
>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user 
>system_u is not defined
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could 
>not create context structure
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could 
>not create context structure
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: 
>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user 
>system_u is not defined
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could 
>not create context structure
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could 
>not create context structure
>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: 
>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>Apr  8 16:47:48 vpl2 libvirtd[5041]: failed to connect to monitor socket: 
>No such process
>
>
>[root at vpl2 ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
>SELinux User    Prefix     MCS Level  MCS Range 
>SELinux Roles
>
>git_shell_u     user       s0         s0 
>git_shell_r
>guest_u         user       s0         s0                             guest_r
>root            user       s0         s0-s0:c0.c1023 
>staff_r sysadm_r system_r unconfined_r
>staff_u         user       s0         s0-s0:c0.c1023 
>staff_r sysadm_r system_r unconfined_r
>sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
>system_u        user       s0         s0-s0:c0.c1023 
>system_r unconfined_r
>unconfined_u    user       s0         s0-s0:c0.c1023 
>system_r unconfined_r
>user_u          user       s0         s0                             user_r
>xguest_u        user       s0         s0                             xguest_r
>
>
>
>[root at vpl2 ~]# tail /var/log/audit/audit.log
>type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 
>entries=60
>type=NETFILTER_CFG msg=audit(1365403596.177:4508): table=nat family=2 
>entries=61
>type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for 
>  pid=8944 comm="qemu-system-ppc" capability=1 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search } 
>for  pid=8944 comm="qemu-system-ppc" capability=2 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4511): avc:  denied  { dac_override } for 
>  pid=8944 comm="qemu-system-ppc" capability=1 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4512): avc:  denied  { dac_read_search } 
>for  pid=8944 comm="qemu-system-ppc" capability=2 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4513): avc:  denied  { dac_override } for 
>  pid=8944 comm="qemu-system-ppc" capability=1 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4514): avc:  denied  { dac_read_search } 
>for  pid=8944 comm="qemu-system-ppc" capability=2 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4515): avc:  denied  { dac_override } for 
>  pid=8944 comm="qemu-system-ppc" capability=1 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>type=AVC msg=audit(1365403606.017:4516): avc:  denied  { dac_read_search } 
>for  pid=8944 comm="qemu-system-ppc" capability=2 
>scontext=system_u:system_r:svirt_t:s0:c574,c809 
>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>
>
>
>
>[root at vpl2 ~]# libvirtd --version
>libvirtd (libvirt) 1.0.3
>[root at vpl2 ~]# yum info policycoreutils
>[...]
>Arch        : ppc64
>Version     : 2.1.13
>Release     : 59.fc18
>Size        : 3.8 M
>
>[root at vpl2 ~]# cat /etc/fedora-release
>Fedora release 18 (Spherical Cow)
>
>[root at vpl2 ~]# uname -a
>Linux vpl2.ozlabs.ibm.com 3.8.0-kvm-64k-aik+ #376 SMP Mon Apr 8 14:40:40 
>EST 2013 ppc64 ppc64 ppc64 GNU/Linux
>
>[aik at vpl2 ~]$ cat libvirtguest-aik.xml
><domain type='kvm'>
>	<name>AikLibvirtTest</name>
>	<memory>2097152</memory>
>	<vcpu>2</vcpu>
>	<os>
>		<type arch='ppc64' machine='pseries'>hvm</type>
>		<boot dev='cdrom'/>
>		<boot dev='hd'/>
>	</os>
>	<clock offset='utc'/>
>	<devices>
>		<emulator>/usr/local/bin/qemu-system-ppc64</emulator>
>		<disk type='file' device='disk' >
>			<driver name='qemu' type='raw'/>
>			<source file='/var/lib/libvirt/images/fc18guest'/>
>			<target dev='sda' bus='scsi'/>
>		</disk>
>		<disk type='file' device='cdrom' >
>			<driver name='qemu' type='raw'/>
>			<source file='/home/aik/virtimg/Fedora-18-ppc64-DVD.iso'/>
>			<target dev='sdc' bus='scsi'/>
>			<readonly/>
>		</disk>
>		<serial type='pty'>
>			<target port='0'/>
>		</serial>
>		<console type='pty'>
>			<target type='serial' port='0'/>
>		</console>
>		<memballoon model='virtio'/>
>	</devices>
>
></domain>
>
>
>
>-- 
>Alexey
>
>_______________________________________________
>libvirt-users mailing list
>libvirt-users at redhat.com
>https://www.redhat.com/mailman/listinfo/libvirt-users
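The reply's point (DAC is checked before MAC) is what the audit log above shows: every denial is on tclass=capability, capability=1 (CAP_DAC_OVERRIDE) and capability=2 (CAP_DAC_READ_SEARCH), i.e. qemu-system-ppc, running as a non-root uid, hit a Unix permission it could not satisfy on the way to the ISO and the kernel asked for the capabilities that bypass DAC, which the svirt_t policy refuses. The SELinux label on /home/aik/virtimg is correct; what is not shown is the mode of /home/aik itself. The script below is an added example, not part of this thread or of libvirt: it parses AVC lines of the shape quoted above and walks a path component by component to find the first directory or file whose mode bits deny a given uid. The directory tree, the qemu uid (107) and the 0700 mode of /home/aik are constructed assumptions for the example; the modes of /home/aik/virtimg, the ISO, /var/lib/libvirt/images and fc18guest are taken from the ls output in the thread.

```python
#!/usr/bin/env python3
"""Explain dac_override / dac_read_search AVC denials by checking DAC along a path.

Added example for the thread above; not libvirt code. Filesystem metadata and
the qemu uid below are constructed for the example.
"""
import posixpath
import re
import stat

# Capability numbers from linux/capability.h for the two denials in the log.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}\s+for\s+pid=(?P<pid>\d+)"
    r"\s+comm=\"(?P<comm>[^\"]*)\""
    r"(?:\s+capability=(?P<cap>\d+))?"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["cap"] = int(d["cap"]) if d["cap"] is not None else None
    d["cap_name"] = CAP_NAMES.get(d["cap"])
    return d


# Constructed sample: the first two audit records from the thread, unwrapped.
SAMPLE_AVC = [
    'type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for  '
    'pid=8944 comm="qemu-system-ppc" capability=1 '
    'scontext=system_u:system_r:svirt_t:s0:c574,c809 '
    'tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability',
    'type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search } for  '
    'pid=8944 comm="qemu-system-ppc" capability=2 '
    'scontext=system_u:system_r:svirt_t:s0:c574,c809 '
    'tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability',
]

D, F = stat.S_IFDIR, stat.S_IFREG
# Constructed tree: path -> (owner uid, group gid, mode).  /home/aik is the
# assumption (a default private home directory); the rest follows the thread.
TREE = {
    "/": (0, 0, D | 0o755),
    "/home": (0, 0, D | 0o755),
    "/home/aik": (1000, 1000, D | 0o700),
    "/home/aik/virtimg": (0, 0, D | 0o755),
    "/home/aik/virtimg/Fedora-18-ppc64-DVD.iso": (0, 0, F | 0o777),
    "/var": (0, 0, D | 0o755),
    "/var/lib": (0, 0, D | 0o755),
    "/var/lib/libvirt": (0, 0, D | 0o755),
    "/var/lib/libvirt/images": (0, 0, D | 0o755),
    "/var/lib/libvirt/images/fc18guest": (0, 0, F | 0o777),
}
QEMU_UID = 107  # assumed uid of the qemu user the guest runs as


def _dac_allows(uid, gids, owner, group, mode, want):
    """Classic Unix check: pick the owner, group or other triple, then test one bit."""
    if uid == owner:
        return bool(mode & (stat.S_IRUSR if want == "read" else stat.S_IXUSR))
    if group in gids:
        return bool(mode & (stat.S_IRGRP if want == "read" else stat.S_IXGRP))
    return bool(mode & (stat.S_IROTH if want == "read" else stat.S_IXOTH))


def dac_path_check(path, uid, gids, tree):
    """Report the first component of `path` that DAC denies to uid/gids.

    Every ancestor directory needs search (x); the final entry needs read (r).
    When DAC fails, the kernel falls back to CAP_DAC_OVERRIDE and then
    CAP_DAC_READ_SEARCH, which is the pair of denials seen in the audit log.
    """
    chain, cur = ["/"], "/"
    for part in [p for p in path.split("/") if p]:
        cur = posixpath.join(cur, part)
        chain.append(cur)
    caps = ["CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"]
    for node in chain[:-1]:
        owner, group, mode = tree[node]
        if not _dac_allows(uid, gids, owner, group, mode, "search"):
            return {"ok": False, "denied_at": node, "needed": "search", "caps_tried": caps}
    owner, group, mode = tree[chain[-1]]
    if not _dac_allows(uid, gids, owner, group, mode, "read"):
        return {"ok": False, "denied_at": chain[-1], "needed": "read", "caps_tried": caps}
    return {"ok": True, "denied_at": None, "needed": None, "caps_tried": []}


def suggest_fix(result):
    """Plain remediation for a DAC denial: open the bit, or move the image."""
    if result["ok"]:
        return None
    if result["needed"] == "search":
        return "chmod o+x %s (or keep images outside private directories)" % result["denied_at"]
    return "chmod o+r %s" % result["denied_at"]


if __name__ == "__main__":
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print("pid %d %s denied %s (capability %s)" % (rec["pid"], rec["comm"], rec["perm"], rec["cap_name"]))
    for p in ("/home/aik/virtimg/Fedora-18-ppc64-DVD.iso", "/var/lib/libvirt/images/fc18guest"):
        r = dac_path_check(p, QEMU_UID, {QEMU_UID}, TREE)
        print(p, "->", "ok" if r["ok"] else "denied at %s (%s); %s" % (r["denied_at"], r["needed"], suggest_fix(r)))
```

On a real host the same walk is `namei -l /home/aik/virtimg/Fedora-18-ppc64-DVD.iso` run alongside `ls -lZ`: the SELinux column can be right on every component while the mode column stops a confined qemu at the home directory, and that is the case the AVC pair above describes.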